Date: 10/29/99
- Next message: Saillard Luc: "[PHPLIB] Function nextid() with PostgreSql"
- Previous message: Massimiliano Masserelli: "Re: [PHPLIB] preauth problem.."
- In reply to: Humberto Ortiz Zuazaga: "Re: [PHPLIB] preauth problem.."
- Next in thread: Jack Lauman: "Re: [PHPLIB] index.php3 test page error..."
Humberto Ortiz Zuazaga wrote:
> <DANGER>
> If you have any page on your site that uses default authentication, then auth
> is not sufficient to protect any other page, you must use perm to protect pages.
> </DANGER>
Well, each login process has three phases,
- Identification,
- Authentication
- and Authorization.
Auth does the Identification (you claim to have a certain user identity)
and the Authentication (you must prove that you actually are the user
who you claim to be by presenting some kind of proof, e.g. knowledge
of the password or proper response to a challenge).
Perm does the Authorization, that is, for the authenticated identity
Perm looks up the associated user rights.
With default authentication, Auth does create some credentials with
no privileges en passant and hands out other credentials with more
privilege only if the user specifically asks for it. It is still
your task to check credentials to protect your information by checking
privilege, not the existence of any credentials.
> Section 3.8 of the docs should be modified to include a warning about default
> authentication. In particular the example "How is the auth class used
> usually?" should use $perm->check() like 1.4, the $auth->login_if($auth->
> auth["uid"] == "nobody"); trick, or at least warn about default authentication.
Changed in CVS.
Kristian
--
Kristian Köhntopp, NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany, +49 431 386 436 00
Using PHP3? See our web development library at
http://phplib.netuse.de/ (We have moved! Update your bookmarks!)
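
The distinction drawn in this message, as an added example that is not part of the original post and is not PHPLIB code: a self-contained PHP 8 model of default authentication showing why a guard that only checks for credentials lets the "nobody" identity through, while a privilege check or a not-"nobody" check does not. `ModelAuth`, the three guard functions and the sample visitors are hypothetical stand-ins constructed for illustration; only the `auth["uid"] == "nobody"` convention and the idea of checking permissions come from the thread.

```php
<?php
// Simplified model of the behaviour described above (constructed stand-ins,
// not PHPLIB source). Requires PHP 8.

final class ModelAuth
{
    public array $auth;

    // Default authentication: a visitor who never logged in still receives
    // credentials, namely uid "nobody" with no permissions.
    public function __construct(?array $login = null)
    {
        $this->auth = $login ?? ['uid' => 'nobody', 'perm' => ''];
    }
}

// Weak guard: passes whenever any credentials exist.
function guardByAuthOnly(ModelAuth $a): bool
{
    return ($a->auth['uid'] ?? '') !== '';
}

// Guard on privilege: the required permission must be among those held.
function guardByPerm(ModelAuth $a, string $required): bool
{
    $held = array_filter(array_map('trim', explode(',', $a->auth['perm'])));
    return in_array($required, $held, true);
}

// Guard in the spirit of the login_if(uid == "nobody") trick: the default
// identity does not count as logged in.
function guardByNotNobody(ModelAuth $a): bool
{
    return $a->auth['uid'] !== 'nobody';
}

// Constructed sample visitors.
$visitors = [
    'anonymous (default auth)' => new ModelAuth(),
    'logged-in user'           => new ModelAuth(['uid' => 'u1', 'perm' => 'user']),
    'logged-in admin'          => new ModelAuth(['uid' => 'u2', 'perm' => 'user,admin']),
];

$show = fn(bool $ok): string => $ok ? 'allow' : 'deny';
foreach ($visitors as $label => $v) {
    printf("%-25s auth-only=%-5s perm(admin)=%-5s not-nobody=%s\n", $label,
        $show(guardByAuthOnly($v)), $show(guardByPerm($v, 'admin')), $show(guardByNotNobody($v)));
}
```

The anonymous visitor is allowed only by the auth-only guard, which is the case the quoted warning is about.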

